sys-auth/keystone: fix CVE-2017-2673

Package-Manager: Portage-2.3.3, Repoman-2.3.1

4 files changed, 521 insertions, 0 deletions

diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
new file mode 100644
index 00000000000..0f64ed5f6a6
--- /dev/null
+++ b/sys-auth/keystone/files/cve-2017-2673-stable-newton.patch
@@ -0,0 +1,82 @@
+From db468d6fc0a9082d84081cf4c74e4cf366b8d4be Mon Sep 17 00:00:00 2001
+From: Boris Bobrov <breton@cynicmansion.ru>
+Date: Mon, 17 Apr 2017 00:28:07 +0300
+Subject: [PATCH] Do not fetch group assignments without groups
+
+Without the change, the method fetched all assignments for a project
+or domain, regardless of who has the assignment, user or group. This
+led to situation when federated user without groups could scope a token
+with other user's rules.
+
+Return empty list of assignments if no groups were passed.
+
+Closes-Bug: 1677723
+Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
+(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
+
+Conflicts:
+	keystone/tests/unit/test_v3_federation.py -- removed irrelevant
+						     tests
+---
+ keystone/assignment/core.py               |  5 +++++
+ keystone/tests/unit/test_v3_federation.py | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
+index e549abb..6a6717a 100644
+--- a/keystone/assignment/core.py
++++ b/keystone/assignment/core.py
+@@ -165,6 +165,11 @@ class Manager(manager.Manager):
+ 
+     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
+         """Get a list of roles for this group on domain and/or project."""
++        # if no group ids were passed, there are no roles. Without this check,
++        # all assignments for the project or domain will be fetched,
++        # which is not what we want.
++        if not group_ids:
++            return []
+         if project_id is not None:
+             self.resource_api.get_project(project_id)
+             assignment_list = self.list_role_assignments(
+diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
+index f3e9baa..1a7ce40 100644
+--- a/keystone/tests/unit/test_v3_federation.py
++++ b/keystone/tests/unit/test_v3_federation.py
+@@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
+         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+         self.assertEqual(0, len(token_groups))
+ 
++    def test_issue_scoped_token_no_groups(self):
++        """Verify that token without groups cannot get scoped to project.
++
++        This test is required because of bug 1677723.
++        """
++        # issue unscoped token with no groups
++        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
++        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
++        token_resp = r.json_body
++        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
++        self.assertEqual(0, len(token_groups))
++        unscoped_token = r.headers.get('X-Subject-Token')
++
++        # let admin get roles in a project
++        self.proj_employees
++        admin = unit.new_user_ref(CONF.identity.default_domain_id)
++        self.identity_api.create_user(admin)
++        self.assignment_api.create_grant(self.role_admin['id'],
++                                         user_id=admin['id'],
++                                         project_id=self.proj_employees['id'])
++
++        # try to scope the token. It should fail
++        scope = self._scope_request(
++            unscoped_token, 'project', self.proj_employees['id']
++        )
++        self.v3_create_token(
++            scope, expected_status=http_client.UNAUTHORIZED)
++
+     def test_issue_unscoped_token_malformed_environment(self):
+         """Test whether non string objects are filtered out.
+ 
+-- 
+2.1.4
+
diff --git a/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
new file mode 100644
index 00000000000..abf17489cd9
--- /dev/null
+++ b/sys-auth/keystone/files/cve-2017-2673-stable-ocata.patch
@@ -0,0 +1,115 @@
+From 3fb363dc8331f1970e62d139d33da3f51f607ebe Mon Sep 17 00:00:00 2001
+From: Boris Bobrov <breton@cynicmansion.ru>
+Date: Mon, 17 Apr 2017 00:28:07 +0300
+Subject: [PATCH] Do not fetch group assignments without groups
+
+Without the change, the method fetched all assignments for a project
+or domain, regardless of who has the assignment, user or group. This
+led to situation when federated user without groups could scope a token
+with other user's rules.
+
+Return empty list of assignments if no groups were passed.
+
+Closes-Bug: 1677723
+Change-Id: I65f5be915bef2f979e70b043bde27064e970349d
+(cherry picked from commit d61fc5b707a5209104b194d84e22eede84efccb3)
+---
+ keystone/assignment/core.py               |  5 +++
+ keystone/tests/unit/test_v3_federation.py | 58 +++++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+)
+
+diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
+index eccc22d..8fba77e 100644
+--- a/keystone/assignment/core.py
++++ b/keystone/assignment/core.py
+@@ -126,6 +126,11 @@ class Manager(manager.Manager):
+ 
+     def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None):
+         """Get a list of roles for this group on domain and/or project."""
++        # if no group ids were passed, there are no roles. Without this check,
++        # all assignments for the project or domain will be fetched,
++        # which is not what we want.
++        if not group_ids:
++            return []
+         if project_id is not None:
+             self.resource_api.get_project(project_id)
+             assignment_list = self.list_role_assignments(
+diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
+index 0f5148f..03509b8 100644
+--- a/keystone/tests/unit/test_v3_federation.py
++++ b/keystone/tests/unit/test_v3_federation.py
+@@ -1908,6 +1908,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
+         token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+         self.assertEqual(0, len(token_groups))
+ 
++    def test_issue_scoped_token_no_groups(self):
++        """Verify that token without groups cannot get scoped to project.
++
++        This test is required because of bug 1677723.
++        """
++        # issue unscoped token with no groups
++        r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
++        self.assertIsNotNone(r.headers.get('X-Subject-Token'))
++        token_resp = r.json_body
++        token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
++        self.assertEqual(0, len(token_groups))
++        unscoped_token = r.headers.get('X-Subject-Token')
++
++        # let admin get roles in a project
++        self.proj_employees
++        admin = unit.new_user_ref(CONF.identity.default_domain_id)
++        self.identity_api.create_user(admin)
++        self.assignment_api.create_grant(self.role_admin['id'],
++                                         user_id=admin['id'],
++                                         project_id=self.proj_employees['id'])
++
++        # try to scope the token. It should fail
++        scope = self._scope_request(
++            unscoped_token, 'project', self.proj_employees['id']
++        )
++        self.v3_create_token(
++            scope, expected_status=http_client.UNAUTHORIZED)
++
+     def test_issue_unscoped_token_malformed_environment(self):
+         """Test whether non string objects are filtered out.
+ 
+@@ -3319,6 +3347,36 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
+                 self.expected_results[project_name], roles[0]['name']
+             )
+ 
++    def test_user_gets_only_assigned_roles(self):
++        # in bug 1677723 user could get roles outside of what was assigned
++        # to them. This test verifies that this is no longer true.
++        # Authenticate once to create the projects
++        response = self._issue_unscoped_token()
++        self.assertValidMappedUser(response.json_body['token'])
++        unscoped_token = response.headers.get('X-Subject-Token')
++
++        # Assign admin role to newly-created project to another user
++        staging_project = self.resource_api.get_project_by_name(
++            'Staging', self.idp['domain_id']
++        )
++        admin = unit.new_user_ref(CONF.identity.default_domain_id)
++        self.identity_api.create_user(admin)
++        self.assignment_api.create_grant(self.role_admin['id'],
++                                         user_id=admin['id'],
++                                         project_id=staging_project['id'])
++
++        # Authenticate again with the federated user and verify roles
++        response = self._issue_unscoped_token()
++        self.assertValidMappedUser(response.json_body['token'])
++        unscoped_token = response.headers.get('X-Subject-Token')
++        scope = self._scope_request(
++            unscoped_token, 'project', staging_project['id']
++        )
++        response = self.v3_create_token(scope)
++        roles = response.json_body['token']['roles']
++        role_ids = [r['id'] for r in roles]
++        self.assertNotIn(self.role_admin['id'], role_ids)
++
+ 
+ class JsonHomeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
+     JSON_HOME_DATA = {
+-- 
+2.1.4
+
diff --git a/sys-auth/keystone/keystone-10.0.1-r1.ebuild b/sys-auth/keystone/keystone-10.0.1-r1.ebuild
new file mode 100644
index 00000000000..d224cc06e4f
--- /dev/null
+++ b/sys-auth/keystone/keystone-10.0.1-r1.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog"
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="+sqlite ldap memcached mongo mysql postgres test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-1.6[${PYTHON_USEDEP}]"
+DEPEND="
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	${CDEPEND}"
+RDEPEND="
+	${CDEPEND}
+	>=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+	>=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}]
+	>=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+	dev-python/paste[${PYTHON_USEDEP}]
+	>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')]
+	!~dev-python/routes-2.3.0[${PYTHON_USEDEP}]
+	>=dev-python/cryptography-1.0[${PYTHON_USEDEP}]
+	!~dev-python/cryptography-1.3.0[${PYTHON_USEDEP}]
+	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+	sqlite? (
+		>=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[sqlite,${PYTHON_USEDEP}]
+	)
+	mysql? (
+		>=dev-python/pymysql-0.6.2[${PYTHON_USEDEP}]
+		!~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	postgres? (
+		>=dev-python/psycopg-2.5.0[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	>=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}]
+	>=dev-python/stevedore-1.16.0[${PYTHON_USEDEP}]
+	>=dev-python/passlib-1.6[${PYTHON_USEDEP}]
+	>=dev-python/python-keystoneclient-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/python-keystoneclient-2.1.0[${PYTHON_USEDEP}]
+	>=dev-python/keystonemiddleware-4.0.0[${PYTHON_USEDEP}]
+	!~dev-python/keystonemiddleware-4.1.0[${PYTHON_USEDEP}]
+	!~dev-python/keystonemiddleware-4.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-cache-1.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-messaging-5.2.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.10.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-db-4.13.1[${PYTHON_USEDEP}]
+	!~dev-python/oslo-db-4.13.2[${PYTHON_USEDEP}]
+	>=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-log-1.14.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-middleware-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-policy-1.9.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-serialization-1.10.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-utils-3.16.0[${PYTHON_USEDEP}]
+	>=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}]
+	>=dev-python/pysaml2-2.4.0[${PYTHON_USEDEP}]
+	<dev-python/pysaml2-4.0.3[${PYTHON_USEDEP}]
+	>=dev-python/dogpile-cache-0.6.2[${PYTHON_USEDEP}]
+	>=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}]
+	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/pycadf-1.1.0[${PYTHON_USEDEP}]
+	!~dev-python/pycadf-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/msgpack-0.4.0[${PYTHON_USEDEP}]
+	>=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+	memcached? (
+		>=dev-python/python-memcached-1.56[${PYTHON_USEDEP}]
+	)
+	mongo? (
+		>=dev-python/pymongo-3.0.2[${PYTHON_USEDEP}]
+		!~dev-python/pymongo-3.1[${PYTHON_USEDEP}]
+	)
+	ldap? (
+		>=dev-python/pyldap-2.4[${PYTHON_USEDEP}]
+		>=dev-python/ldappool-2.0.0[${PYTHON_USEDEP}]
+	)
+	|| (
+		www-servers/uwsgi[python,${PYTHON_USEDEP}]
+		www-apache/mod_wsgi[${PYTHON_USEDEP}]
+		www-servers/gunicorn[${PYTHON_USEDEP}]
+	)"
+
+PATCHES=(
+	"${FILESDIR}/cve-2017-2673-stable-newton.patch"
+)
+
+pkg_setup() {
+	enewgroup keystone
+	enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+	# it's in git, but not in the tarball.....
+	sed -i '/^hacking/d' test-requirements.txt || die
+	mkdir -p ${PN}/tests/tmp/ || die
+	cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+	sed -i 's|/usr/local|/usr|g' httpd/keystone-uwsgi-* || die
+	sed -i 's|python|python27|g' httpd/keystone-uwsgi-* || die
+	distutils-r1_python_prepare_all
+}
+
+# Ignore (naughty) test_.py files & 1 test that connect to the network
+#-I 'test_keystoneclient*' \
+python_test() {
+	nosetests -I 'test_keystoneclient*' \
+		-e test_static_translated_string_is_Message \
+		-e test_get_token_id_error_handling \
+		-e test_provider_token_expiration_validation \
+		-e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install() {
+	distutils-r1_python_install
+
+	diropts -m 0750
+	keepdir /etc/keystone /var/log/keystone
+	insinto /etc/keystone
+	insopts -m0640 -okeystone -gkeystone
+	doins etc/keystone.conf.sample etc/logging.conf.sample
+	doins etc/default_catalog.templates etc/policy.json
+	doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+	insinto /etc/keystone/httpd
+	doins httpd/*
+
+	fowners keystone:keystone /etc/keystone /etc/keystone/httpd /var/log/keystone
+}
+
+pkg_postinst() {
+	elog "You might want to run:"
+	elog "emerge --config =${CATEGORY}/${PF}"
+	elog "if this is a new install."
+	elog "If you have not already configured your openssl installation"
+	elog "please do it by modifying /etc/ssl/openssl.cnf"
+	elog "BEFORE issuing the configuration command."
+	elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+	if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+		einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+		read
+		"${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+	else
+		einfo "keystone PKI certificates directory already present, skipping configuration"
+	fi
+}
diff --git a/sys-auth/keystone/keystone-11.0.0-r1.ebuild b/sys-auth/keystone/keystone-11.0.0-r1.ebuild
new file mode 100644
index 00000000000..1176d3d6378
--- /dev/null
+++ b/sys-auth/keystone/keystone-11.0.0-r1.ebuild
@@ -0,0 +1,159 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog"
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="+sqlite ldap memcached mongo mysql postgres test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-1.8[${PYTHON_USEDEP}]"
+DEPEND="
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	${CDEPEND}"
+RDEPEND="
+	${CDEPEND}
+	>=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+	>=dev-python/webob-1.6.0[${PYTHON_USEDEP}]
+	>=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+	dev-python/paste[${PYTHON_USEDEP}]
+	>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')]
+	!~dev-python/routes-2.3.0[${PYTHON_USEDEP}]
+	>=dev-python/cryptography-1.0[${PYTHON_USEDEP}]
+	!~dev-python/cryptography-1.3.0[${PYTHON_USEDEP}]
+	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+	sqlite? (
+		>=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[sqlite,${PYTHON_USEDEP}]
+	)
+	mysql? (
+		>=dev-python/pymysql-0.7.6[${PYTHON_USEDEP}]
+		!~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	postgres? (
+		>=dev-python/psycopg-2.5.0[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	>=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}]
+	>=dev-python/stevedore-1.17.1[${PYTHON_USEDEP}]
+	>=dev-python/passlib-1.7.0[${PYTHON_USEDEP}]
+	>=dev-python/python-keystoneclient-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/keystonemiddleware-4.12.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-cache-1.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-config-3.18.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-messaging-5.14.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.15.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-log-3.11.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-middleware-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-policy-1.17.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-serialization-1.10.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-utils-3.18.0[${PYTHON_USEDEP}]
+	>=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}]
+	>=dev-python/pysaml2-2.4.0[${PYTHON_USEDEP}]
+	<dev-python/pysaml2-4.0.3[${PYTHON_USEDEP}]
+	>=dev-python/dogpile-cache-0.6.2[${PYTHON_USEDEP}]
+	>=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}]
+	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/pycadf-1.1.0[${PYTHON_USEDEP}]
+	!~dev-python/pycadf-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/msgpack-0.4.0[${PYTHON_USEDEP}]
+	>=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+	memcached? (
+		>=dev-python/python-memcached-1.56[${PYTHON_USEDEP}]
+	)
+	mongo? (
+		>=dev-python/pymongo-3.0.2[${PYTHON_USEDEP}]
+		!~dev-python/pymongo-3.1[${PYTHON_USEDEP}]
+	)
+	ldap? (
+		>=dev-python/pyldap-2.4.20[${PYTHON_USEDEP}]
+		>=dev-python/ldappool-2.0.0[${PYTHON_USEDEP}]
+	)
+	|| (
+		www-servers/uwsgi[python,${PYTHON_USEDEP}]
+		www-apache/mod_wsgi[${PYTHON_USEDEP}]
+		www-servers/gunicorn[${PYTHON_USEDEP}]
+	)"
+
+PATCHES=(
+	"${FILESDIR}/cve-2017-2673-stable-ocata.patch"
+)
+
+pkg_setup() {
+	enewgroup keystone
+	enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+	# it's in git, but not in the tarball.....
+	sed -i '/^hacking/d' test-requirements.txt || die
+	mkdir -p ${PN}/tests/tmp/ || die
+	cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+	sed -i 's|/usr/local|/usr|g' httpd/keystone-uwsgi-* || die
+	sed -i 's|python|python27|g' httpd/keystone-uwsgi-* || die
+	distutils-r1_python_prepare_all
+}
+
+python_test() {
+	nosetests -I 'test_keystoneclient*' \
+		-e test_static_translated_string_is_Message \
+		-e test_get_token_id_error_handling \
+		-e test_provider_token_expiration_validation \
+		-e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install_all() {
+	distutils-r1_python_install_all
+
+	diropts -m 0750
+	keepdir /etc/keystone /var/log/keystone
+	insinto /etc/keystone
+	insopts -m0640 -okeystone -gkeystone
+	doins etc/keystone.conf.sample etc/logging.conf.sample
+	doins etc/default_catalog.templates etc/policy.json
+	doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+	insinto /etc/keystone/httpd
+	doins httpd/*
+
+	fowners keystone:keystone /etc/keystone /etc/keystone/httpd /var/log/keystone
+}
+
+pkg_postinst() {
+	elog "You might want to run:"
+	elog "emerge --config =${CATEGORY}/${PF}"
+	elog "if this is a new install."
+	elog "If you have not already configured your openssl installation"
+	elog "please do it by modifying /etc/ssl/openssl.cnf"
+	elog "BEFORE issuing the configuration command."
+	elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+	if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+		einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+		read
+		"${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+	else
+		einfo "keystone PKI certificates directory already present, skipping configuration"
+	fi
+}